Fobos Campaign Using RIG EK to Drop Bunitu Trojan

This campaign has been dubbed “Fobos” because the actors were using the registrant email address fobos@mail.ru. FireEye first published an article back in March 2017, titled “Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits,” that discussed Fobos in relation to the RIG exploit kit. The article mentioned that they started tracking this campaign in the final quarter of 2016 and that the threat actors were using 302 redirects from ads to load the casino-themed Fobos domains. These Fobos domains contained iframes which redirected to the RIG exploit kit.

The HTTP traffic from this infection is shown below:

777betx[.]info is one of the Fobos domains which contained an iframe pointing to 213jkhgfdghj[.]ga/bbc/index.php, another domain used by these operators:

213jkhgfdghj[.]ga/bbc/index.php returns a script that contains the iframe pointing to the RIG exploit kit landing page:
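The redirect chain above (casino domain, then 213jkhgfdghj[.]ga/bbc/index.php, then the RIG landing page) is the kind of thing an analyst wants to pull out of captured page bodies automatically, including iframes that are only written from JavaScript. The script below is an added example, not code from the original post: it extracts iframe targets from static HTML and from `document.write` string literals, flags the hidden 0/1-pixel frames typical of an injected redirect, and walks the chain across a set of already-fetched bodies. The page bodies are constructed to mirror the chain described here, and the RIG landing URL is a placeholder, not a real indicator.

```python
"""Extract iframe redirect targets from fetched page bodies and follow the chain.

Added example: the page bodies below are constructed to mirror the Fobos
chain (casino site -> 213jkhgfdghj[.]ga/bbc/index.php -> RIG landing page);
the RIG landing URL is a placeholder, not a real indicator.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed page bodies keyed by URL. Nothing here is fetched from the network.
PAGES = {
    "http://777betx.info/": (
        "<html><body><h1>Casino bonus</h1>"
        "<iframe src='http://213jkhgfdghj.ga/bbc/index.php' "
        "width='1' height='1' style='visibility: hidden'></iframe>"
        "</body></html>"
    ),
    "http://213jkhgfdghj.ga/bbc/index.php": (
        "<script>document.write('<iframe src=\"http://rig-landing.placeholder.invalid/?q=abc\""
        " width=0 height=0></iframe>');</script>"
    ),
}


def _tiny(value):
    """True for 0/1-pixel dimensions, the usual size of an injected iframe."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Record (src, hidden) for every iframe start tag seen."""
    HIDDEN_STYLES = ("display:none", "visibility:hidden")

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (any(s in style for s in self.HIDDEN_STYLES)
                  or _tiny(a.get("width")) or _tiny(a.get("height")))
        self.frames.append((src, hidden))


SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
IFRAME_TAG_RE = re.compile(r"<iframe[^>]*>", re.IGNORECASE)


def extract_iframes(body):
    """Return (src, hidden) pairs for static iframes and iframes built in JavaScript."""
    collector = IframeCollector()
    collector.feed(body)  # html.parser treats <script> content as raw text, so no double counting
    collector.close()
    found = list(collector.frames)
    for script in SCRIPT_RE.findall(body):
        # document.write('<iframe ...>') keeps the tag inside a string literal;
        # drop escaped quotes and parse each tag fragment as HTML.
        inner = script.replace('\\"', '"').replace("\\'", "'")
        for tag in IFRAME_TAG_RE.findall(inner):
            frag = IframeCollector()
            frag.feed(tag)
            frag.close()
            found.extend(frag.frames)
    return found


def follow_chain(start, pages, max_hops=5):
    """Walk the first iframe on each page until we reach a body we have not fetched."""
    chain, url = [start], start
    for _ in range(max_hops):
        body = pages.get(url)
        if body is None:
            break
        frames = extract_iframes(body)
        if not frames:
            break
        url = frames[0][0]
        chain.append(url)
    return chain


def defang(url):
    """Write the host with bracketed dots, as in the article's IOC notation."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=parts.netloc.replace(".", "[.]")))


if __name__ == "__main__":
    for hop in follow_chain("http://777betx.info/", PAGES):
        print(defang(hop))
```

Feeding the script with bodies saved from a proxy or sandbox capture reproduces the three-hop chain and prints each hop defanged; a hidden iframe to a domain the site has no business with is the signal worth alerting on.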

This campaign appears to be using the RIG exploit kit to drop the Bunitu proxy Trojan. hasherezade posted a really good write-up on the Bunitu Trojan called “Revisiting The Bunitu Trojan,” which covered the Trojan being dropped by the Neutrino exploit kit via malvertising.

The payload was dropped and executed in %Temp%, which then dropped fastdrv.dll in %LocalAppData%:

See the process tree below:

The process tree shows fastdrv.dll being dropped in %LocalAppData% and firewall rules being added to allow connections.
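Each step in that tree (a payload running from %Temp%, rundll32 loading a DLL out of %LocalAppData%, a firewall allow rule appearing right after) is a host-detection opportunity on its own, and together they are a strong signal. The script below is an added example, not code from the original post: it runs a few simple rules over process-creation events. The events are constructed to resemble the tree described here; the field names follow a generic EDR/Sysmon-style schema, and the exact command lines, the netsh form of the firewall change and the DLL export name in particular, are assumptions rather than details from the infection.

```python
"""Flag the host behaviours from the Fobos/Bunitu process tree in process-creation events.

Added example: the events below are constructed to resemble the tree described
in the article (payload run from %Temp%, rundll32 loading fastdrv.dll from
%LocalAppData%, a firewall allow rule being added). Field names follow a generic
EDR/Sysmon-style schema; the command lines, including the netsh form of the
firewall change and the DLL export name, are assumptions.
"""
import re

# Paths an unprivileged user can write to; DLLs loaded from here by rundll32 are suspect.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)
# First Windows path ending in .dll on a command line (quoted or not).
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)', re.IGNORECASE)

EVENTS = [  # constructed process-creation events
    {"image": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "parent_image": r"C:\Program Files\Browser\browser.exe",
     "command_line": r"C:\Users\victim\AppData\Local\Temp\payload.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "command_line": r'rundll32.exe "C:\Users\victim\AppData\Local\fastdrv.dll",EntryPoint'},
    {"image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'netsh advfirewall firewall add rule name="fastdrv" dir=in action=allow program="C:\Windows\System32\rundll32.exe"'},
    {"image": r"C:\Windows\System32\rundll32.exe",  # benign control-panel launch
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def process_from_temp(ev):
    """An executable launched from a user-writable directory."""
    if USER_WRITABLE.search(ev["image"]) and ev["image"].lower().endswith(".exe"):
        return f"executable launched from user-writable path: {ev['image']}"
    return None


def child_of_temp_process(ev):
    """A child spawned by a process that itself runs from a user-writable directory."""
    if USER_WRITABLE.search(ev["parent_image"]):
        return f"{_basename(ev['image'])} spawned by user-writable parent {ev['parent_image']}"
    return None


def rundll32_user_writable_dll(ev):
    """rundll32 asked to load a DLL from %LocalAppData%/%Temp% rather than a system path."""
    if ev["image"].lower().endswith("\\rundll32.exe"):
        m = DLL_RE.search(ev["command_line"])
        if m and USER_WRITABLE.search(m.group(1)):
            return f"rundll32 loading DLL from user-writable path: {m.group(1)}"
    return None


def firewall_rule_added(ev):
    """A firewall rule created through netsh (assumed mechanism for the allow rule)."""
    cl = ev["command_line"].lower()
    if ev["image"].lower().endswith("\\netsh.exe") and "advfirewall" in cl and "add rule" in cl:
        return "firewall rule added via netsh: " + ev["command_line"]
    return None


RULES = [process_from_temp, child_of_temp_process, rundll32_user_writable_dll, firewall_rule_added]


def triage(events):
    """Return (event index, rule name, message) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((i, rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for idx, name, msg in triage(EVENTS):
        print(f"event {idx} [{name}]: {msg}")
```

The benign fourth event (rundll32 loading shell32.dll from System32) produces nothing, which is the point of keying the rundll32 rule on the DLL's directory rather than on rundll32 itself; the interesting event is the second one, which trips both the parent-path rule and the DLL-path rule.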

We can see the details of the running process Rundll32:

The Trojan also modifies auto-execute functionality by setting/creating the following values in the registry:

Modifies proxy settings by deleting values:

Network based IOCs found during this infection include the following DNS queries:

As hasherezade stated in the Malwarebytes Lab article (linked above), the Bunitu proxy Trojan “may have various consequences for the infected user. Basically, it uses his/her resources and slows down the network traffic. But it may also frame him/her in some illegal activities carried by the attackers due to the fact that the infected client’s IP is the one visible from the outside.”